EVALUATION REPORT

Independent Evaluation of NRC’s Implementation of the Federal Information Security Management Act for Fiscal Year 2009

OIG-10-A-04
November 17, 2009

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/


UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

November 17, 2009

MEMORANDUM TO:  R. William Borchardt, Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/, Assistant Inspector General for Audits

SUBJECT:        INDEPENDENT EVALUATION OF NRC’S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT FOR FISCAL YEAR 2009 (OIG-10-A-04)

Attached is the Office of the Inspector General’s (OIG) independent evaluation report titled, Independent Evaluation of NRC’s Implementation of the Federal Information Security Management Act for Fiscal Year 2009 (OIG-10-A-04).

The report presents the results of the subject audit. Agency comments provided during an October 30, 2009, exit conference have been incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on the recommendation within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow-up as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, at 415-5911.

Attachment: As stated


Electronic Distribution

Edwin M. Hackett, Executive Director, Advisory Committee on Reactor Safeguards
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Stephen G. Burns, General Counsel
Brooke D. Poole, Jr., Director, Office of Commission Appellate Adjudication
James E. Dyer, Chief Financial Officer
Margaret M. Doane, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
R. William Borchardt, Executive Director for Operations
Bruce S. Mallett, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Corporate Management and Chief Information Officer, OEDO
Nader L. Mamish, Assistant for Operations, OEDO
Kathryn O. Greene, Director, Office of Administration
Patrick D. Howard, Director, Computer Security Office
Roy P. Zimmerman, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Cheryl A. McCrary, Director, Office of Investigations
Thomas M. Boyce, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
Michael R. Johnson, Director, Office of New Reactors
Michael F. Weber, Director, Office of Nuclear Material Safety and Safeguards
Eric J. Leeds, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
James T. Wiggins, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
Luis A. Reyes, Regional Administrator, Region II
Mark A. Satorius, Regional Administrator, Region III
Elmo E. Collins, Jr., Regional Administrator, Region IV


Independent Evaluation of NRC’s Implementation of the Federal Information Security Management Act for Fiscal Year 2009

Contract Number: GS-00F-0001N
Delivery Order Number: 20291

November 6, 2009

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.


Independent Evaluation of NRC’s Implementation of FISMA for FY 2009

EXECUTIVE SUMMARY

BACKGROUND

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002. FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency’s information security program[1] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency’s information systems. FISMA requires the annual evaluation to be performed by the agency’s Inspector General (IG) or by an independent external auditor. Office of Management and Budget (OMB) memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated August 20, 2009, requires the agency’s IG to report its responses to OMB’s annual FISMA reporting questions for IGs via an automated collection tool.

[1] For the purposes of FISMA, the agency uses the term “information system security program.”

Richard S. Carson and Associates, Inc. (Carson Associates), performed an independent evaluation of the Nuclear Regulatory Commission’s (NRC) implementation of FISMA for fiscal year (FY) 2009. This report presents the results of that independent evaluation. Carson Associates also submitted responses to OMB’s annual FISMA reporting questions for IGs via OMB’s automated collection tool.

This report reflects the status of the agency’s information system security program as of the completion of fieldwork on September 30, 2009.

PURPOSE

The objective of this review was to perform an independent evaluation of NRC’s implementation of FISMA for FY 2009.

RESULTS IN BRIEF

Program Enhancements and Improvements

Over the past 7 years, NRC has continued to make improvements to its information system security program and continues to make progress in implementing the recommendations resulting from previous FISMA evaluations. In 2007, the Commission approved the establishment of the Computer Security Office. The new office reports to the Deputy Executive Director for Corporate Management and Chief Information Officer (CIO) and is headed by the Chief Information Security Officer (CISO). The CISO plans, directs, and oversees the implementation of a comprehensive, coordinated, integrated, and cost-effective NRC information technology (IT) security program, consistent with applicable laws; regulations; Commission, Executive Director for Operations, and CIO direction; management initiatives; and policies.

The agency has accomplished the following since the FY 2008 FISMA independent evaluation:

• The agency made significant progress in certifying and accrediting its systems. In FY 2009, the agency completed certification and accreditation of 12 of the agency’s 22 operational systems and 1 of the agency’s 3 contractor systems. As of the completion of fieldwork for FY 2009, all but one of the operational NRC information systems had a current certification and accreditation, and all three of the systems used or operated by a contractor or other organization on behalf of the agency had a current certification and accreditation.
• The agency completed or updated security plans for 19 of the agency’s 22 operational systems and for all 3 contractor systems.
• The agency completed annual security control testing for all agency systems and for all contractor systems.
• The agency completed annual contingency plan testing for all agency systems and for all contractor systems.
• The agency issued several new and updated policies related to the protection of personally identifiable information (PII) including an updated Computer Security Incident Response Policy, an updated PII Breach Notification Policy, an updated Computer Security Information Protection Policy, the Laptop Security Policy, and the Computer Security Policy for Encryption of Data at Rest When Outside of Agency Facilities.
• The agency issued the Agency-wide Rules of Behavior for Authorized Computer Use. The rules of behavior are provided to NRC computer users as part of the annual computer security awareness course, and apply to all NRC employees, contractors, vendors, and agents (users) who have access to any system operated by the NRC or by a contractor or outside entity on behalf of the NRC.
• The agency developed configuration guidance, configuration standards, and standard system security plans for laptops, as well as a new Laptop Security Policy.
• The agency identified all employees with significant IT security responsibilities and developed a plan for ensuring those employees receive appropriate role-based training.

Program Weaknesses

While the agency has made significant improvements in its information system security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified two information system security program weaknesses. One is a repeat finding from the FY 2008 independent evaluation, and the other is a repeat finding from several previous independent evaluations.

• The NRC inventory interface information is still inconsistent (repeat finding).
• The quality of the agency’s plans of action and milestones still needs improvement (repeat finding).

RECOMMENDATION

This report makes one new recommendation to further address the repeat finding concerning the interface information issue. Other recommendations for the repeat findings were made in previous reports.

AGENCY COMMENTS

At an exit conference on October 30, 2009, agency officials agreed with the report’s findings and recommendation and provided a few editorial changes, which the OIG incorporated as appropriate. The agency opted not to submit formal comments.


ABBREVIATIONS AND ACRONYMS

BPIAD               Business Process Improvement and Applications Division
Carson Associates   Richard S. Carson and Associates, Inc.
CIO                 Chief Information Officer
CIS                 Center for Internet Security
CISO                Chief Information Security Officer
CSIRT               Computer Security Incident Response Team
CSO                 Computer Security Office
DISA                Defense Information Systems Agency
FDCC                Federal Desktop Core Configuration
FIPS                Federal Information Processing Standard
FISMA               Federal Information Security Management Act
FY                  Fiscal Year
IAS                 Information Assurance System
IATO                Interim Authorization to Operate
IG                  Inspector General
IRSD                Information and Records Services Division
ISA                 Interconnection Security Agreement
ISS                 Information System Security
ISSO                Information Systems Security Officer
IT                  Information Technology
LoB                 Line of Business
MD                  Management Directive
MOU                 Memorandum of Understanding
NIST                National Institute of Standards and Technology
NRC                 Nuclear Regulatory Commission
NSA                 National Security Agency
NSICD               NRC System Information Control Database
OIG                 Office of the Inspector General
OIS                 Office of Information Services
OMB                 Office of Management and Budget
P2P                 Peer-to-Peer
PIA                 Privacy Impact Assessment
PII                 Personally Identifiable Information
PMM                 Project Management Methodology
POA&M               Plan of Action and Milestones
SCAP                Security Content Automation Protocol
SGI                 Safeguards Information
SP                  Special Publication
SSN                 Social Security Number
SUNSI               Sensitive Unclassified Non-Safeguards Information
US-CERT             United States Computer Emergency Readiness Team


TABLE OF CONTENTS

Executive Summary
Abbreviations and Acronyms
1 Background
2 Purpose
3 Findings
  3.1 FISMA Systems Inventory (Question 1)
  3.2 Certification and Accreditation (Question 2a)
      NRC Has Made Significant Progress in Certifying and Accrediting Its Systems
  3.3 Security Controls Testing (Question 2b)
      NRC Has Completed Annual Security Control Testing for All Agency Systems and for All Contractor Systems
  3.4 Contingency Plan Testing (Question 2c)
      Annual Contingency Plan Testing Was Completed for All Agency Systems and All Contractor Systems
  3.5 Evaluation of Agency Oversight of Contractor Systems (Question 3a)
      Agency Oversight of Contractor Systems Meets FISMA Requirements
  3.6 Evaluation of Quality of Agency System Inventory (Questions 3b-3g)
      FINDING A – The NRC Inventory Interface Information Is Still Inconsistent (Repeat Finding)
  3.7 Evaluation of Agency POA&M Process (Question 4)
      FINDING B – The Quality of the Agency’s POA&Ms Still Needs Improvement (Repeat Finding)
      NRC Progress in Correcting Weaknesses Reported on Its POA&Ms Is Not Improving
  3.8 IG Assessment of the Certification and Accreditation Process (Question 5)
      The NRC Certification and Accreditation Process Follows the NIST Framework
      NRC Is Managing and Operating a Certification and Accreditation Process In Compliance With Its Policies
  3.9 IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process (Question 6)
      Policies That Comply With OMB Guidance in M-07-16, M-06-15, and M-06-16 Exist
      NRC Is Managing and Operating a Privacy Program In Compliance With Its Policies
      A Policy for PIAs Has Been Developed and Documented
      NRC Has Fully Implemented Its PIA Policy and Is Managing and Operating a Process for Performing PIAs
  3.10 Configuration Management (Question 7)
      3.10.1 Security Configuration Policy and Common Security Configurations
          NRC Security Configuration Policy
          NRC Security Configuration Policy Implementation Status
      3.10.2 Federal Desktop Core Configuration (FDCC)
  3.11 Incident Reporting (Question 8)
  3.12 Security Awareness Training (Question 9)
      Annual IT Security Awareness Training
      IT Security Awareness Training for Employees With Significant IT Security Responsibilities (Role-Based Training)
  3.13 Peer-to-Peer File (P2P) Sharing (Question 10)
4 Report Recommendation
5 Agency Comments
Appendix. SCOPE AND METHODOLOGY

List of Tables

Table 3-1. Total Number of Agency and Contractor Systems and Number Reviewed by FIPS 199 System Impact Level
Table 3-2. Total Number of Systems and Number Reviewed That Are Certified and Accredited by FIPS 199 System Impact Level
Table 3-3. Total Number of Systems and Number Reviewed for Which Security Controls Have Been Tested and Reviewed in the Past Year by FIPS 199 System Impact Level
Table 3-4. Total Number of Systems and Number Reviewed for Which Contingency Plans Have Been Tested in Accordance With Policy by FIPS 199 System Impact Level


1 Background

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002.[2] FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency’s information security program and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency’s information systems. FISMA requires the annual evaluation to be performed by the agency’s Inspector General (IG) or by an independent external auditor. Office of Management and Budget (OMB) memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated August 20, 2009, requires the agency’s IG to report its responses to OMB’s annual FISMA reporting questions for IGs via an automated collection tool.

[2] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act, which expired in November 2002.

Richard S. Carson and Associates, Inc. (Carson Associates), performed an independent evaluation of the Nuclear Regulatory Commission’s (NRC) implementation of FISMA for fiscal year (FY) 2009. This report presents the results of that independent evaluation. Carson Associates also submitted responses to OMB’s annual FISMA reporting questions for IGs via OMB’s automated collection tool.

This report reflects the status of the agency’s information system security program as of the completion of fieldwork on September 30, 2009.

2 Purpose

The objective of this review was to perform an independent evaluation of NRC’s implementation of FISMA for FY 2009. The Appendix contains a description of the evaluation scope and methodology.

3 Findings

Over the past 7 years, NRC has continued to make improvements to its information system security program and continues to make progress in implementing the recommendations resulting from previous FISMA evaluations. In 2007, the Commission approved the establishment of the Computer Security Office (CSO). The new office reports to the Deputy Executive Director for Corporate Management and Chief Information Officer (CIO) and is headed by the Chief Information Security Officer (CISO). The CISO plans, directs, and oversees the implementation of a comprehensive, coordinated, integrated, and cost-effective NRC information technology (IT) security program, consistent with applicable laws; regulations; Commission, Executive Director for Operations, and CIO direction; management initiatives; and policies.

The CSO was established to serve as the focal point for IT security and to provide vision, leadership, and oversight in developing, promulgating, and implementing an end-to-end NRC IT security strategy. The CSO is divided into three core areas: Cyber Situational Awareness, Analysis, and Response Team; FISMA Compliance and Oversight Team; and Policy, Standards, and Training Team. The CSO has IT security oversight responsibility, coordinates the overall agency IT security program, develops policies and procedures, and provides assistance with security reviews, assessments, and plans to those offices requiring it.

The agency has accomplished the following since the FY 2008 FISMA independent evaluation:

• The agency made significant progress in certifying and accrediting its systems. In FY 2009, the agency completed certification and accreditation of 12 of the agency’s 22 operational systems and 1 of the agency’s 3 contractor systems. As of the completion of fieldwork for FY 2009, all but one of the operational NRC information systems had a current certification and accreditation, and all three of the systems used or operated by a contractor or other organization on behalf of the agency had a current certification and accreditation.
• The agency completed or updated security plans for 19 of the agency’s 22 operational systems and for all 3 contractor systems.
• The agency completed annual security control testing for all agency systems and for all contractor systems.
• The agency completed annual contingency plan testing for all agency systems and for all contractor systems.
• The agency issued several new and updated policies related to the protection of personally identifiable information (PII) including an updated Computer Security Incident Response Policy, an updated PII Breach Notification Policy, an updated Computer Security Information Protection Policy, the Laptop Security Policy, and the Computer Security Policy for Encryption of Data at Rest When Outside of Agency Facilities.
• The agency issued the Agency-wide Rules of Behavior for Authorized Computer Use. The rules of behavior are provided to NRC computer users as part of the annual computer security awareness course, and apply to all NRC employees, contractors, vendors, and agents (users) who have access to any system operated by the NRC or by a contractor or outside entity on behalf of the NRC.
• The agency developed configuration guidance, configuration standards, and standard system security plans for laptops, as well as a new Laptop Security Policy.
• The agency identified all employees with significant IT security responsibilities and developed a plan for ensuring those employees receive appropriate role-based training.

While the agency has made significant improvements in its information system security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified two information system security program weaknesses. One is a repeat finding from the FY 2008 independent evaluation, and the other is a repeat finding from several previous independent evaluations.

• The NRC inventory interface information is still inconsistent (repeat finding).
• The quality of the agency’s plans of action and milestones (POA&M) still needs improvement (repeat finding).

This report makes one new recommendation to further address the repeat finding concerning the interface information issue. Other recommendations for the repeat findings were made in previous reports.

The following sections present the detailed findings from the independent evaluation and are organized based on the IG section of the OMB FISMA reporting tool. Each major section corresponds to a question or set of questions from the template. Findings are presented in the sections to which they are relevant.

3.1 FISMA Systems Inventory (Question 1)

OMB Requirement: 1. Identify the number of Agency and Contractor systems reviewed by component and FIPS 199 system impact level (low, moderate, high).
OIG Response: See Table 3-1 below.

Table 3-1. Total Number of Agency and Contractor Systems and Number Reviewed by FIPS 199 System Impact Level

                                Agency Systems       Contractor Systems     Agency and Contractor Systems
FIPS 199 System Impact Level    Total   Reviewed     Total   Reviewed       Total   Reviewed
High                              8        2           1        0             9        2
Moderate                         14        1           1        1            15        2
Low                               0        0           1        0             1        0
Not Categorized                   0        0           0        0             0        0
Total                            22        3           3        1            25        4

As of completion of fieldwork, NRC has 22 operational systems that fall under FISMA reporting requirements.[3] Of the 22, 8 are general support systems,[4] and 14 are major applications.[5] NRC has three systems operated by a contractor or other organization on behalf of the agency (one major application and two general support systems). Of the three, one is operated by a federally funded research and development center, and two are operated by private contractors. As required by FISMA, Carson Associates selected a subset of NRC systems and contractor systems for evaluation during the FY 2009 FISMA independent evaluation.

[3] NRC also has a number of major applications and general support systems currently in development. For FISMA reporting purposes, only operational systems are considered.
[4] A general support system is an interconnected set of information resources under the same direct management control that share common functionality. Typical general support systems are local and wide area networks, servers, and data processing centers.

3.2 Certification and Accreditation (Question 2a)

OMB Requirement: 2.a. Number of systems reviewed that are certified and accredited (certification and accreditation must be current) by FIPS 199 system impact level.
OIG Response: See Table 3-2 below.

Table 3-2. Total Number of Systems and Number Reviewed That Are Certified and Accredited by FIPS 199 System Impact Level[6]

FIPS 199 System Impact Level    Agency   Contractor   Total Number   Number Reviewed
High                               8         1              9               2
Moderate                          13         1             14               2
Low                                0         1              1               0
Not Categorized                    0         0              0               0
Total                             21         3             24               4

NRC Has Made Significant Progress in Certifying and Accrediting Its Systems

The FY 2005, FY 2006, and FY 2007 FISMA independent evaluations found that the majority of NRC information systems were not certified and accredited. The lack of certification and accreditation for the majority of the agency’s systems was reported as a significant deficiency in the FY 2006 and FY 2007 FISMA independent evaluation reports. In FY 2008, 14 of the 28 operational NRC information systems and 8 of the 11 systems used or operated by a contractor or other organization on behalf of the agency had a current certification and accreditation.

In FY 2009, the agency completed certification and accreditation of 12 agency systems and 1 contractor system.
As of the completion of fieldwork for FY 2009, all but one of the operational\nNRC information systems had a current certification and accreditation, and all three of the\nsystems used or operated by a contractor or other organization on behalf of the agency had a\ncurrent certification and accreditation. The only system that was not certified and accredited is\nan aging mainframe system that is in the process of being replaced. Due to system development\nissues, the certification and accreditation of the replacement system is now scheduled for\n5\n  A major application is a computerized information system or application that requires special attention to security\n  because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or\n  modification of the information in the application.\n6\n  One agency system is currently not certified and accredited.\n\n\n                                                          4\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\ncompletion by the end of this calendar year. The operational legacy system did undergo annual\nsecurity control testing in FY 2009.\n3.3     Security Controls Testing (Question 2b)\n\n                             OMB Requirement                                      OIG Response\n 2.b. Number of systems reviewed for which security controls have\n been tested and reviewed in the past year by FIPS 199 system impact          See Table 3-3 below.\n level.\n\n              Table 3-3. 
Total Number of Systems and Number Reviewed\n      for Which Security Controls Have Been Tested and Reviewed in the Past Year\n                           by FIPS 199 System Impact Level\n          FIPS 199 System                                        Total           Number\n                                 Agency        Contractor\n            Impact Level                                        Number          Reviewed\n                High                 8               1             9                 2\n              Moderate              14               1             15                2\n                 Low                 0               1             1                 0\n           Not Categorized           0               0             0                 0\n                Total               22               3             25                4\n\nAnnual Security Control Testing \xe2\x80\x93 Background\n\nFISMA requires agencies to develop, document, and implement an agencywide information\nsecurity program that includes periodic testing and evaluation of the effectiveness of information\nsecurity policies, procedures, and practices, to be performed with a frequency depending on risk,\nbut no less than annually. Such testing shall include testing of management, operational, and\ntechnical controls of every information system identified in the inventory required by FISMA.\n\nSecurity assessments are conducted to determine the extent to which the controls are\nimplemented correctly, operating as intended, and producing the desired outcome with respect to\nmeeting the security requirements for the system. 
To satisfy the annual FISMA assessment\nrequirement, organizations can draw upon the security control assessment results from any of the\nfollowing sources, including but not limited to: (1) security certifications conducted as part of an\ninformation system accreditation or reaccreditation process, (2) continuous monitoring activities,\nor (3) testing and evaluation of the information system as part of the ongoing system\ndevelopment life cycle process (provided that the testing and evaluation results are current and\nrelevant to the determination of security control effectiveness). Existing security assessment\nresults are reused to the extent that they are still valid and are supplemented with additional\nassessments as needed. OMB does not require an annual assessment of all security controls\nemployed in an organizational information system. In accordance with OMB policy,\norganizations must annually assess a subset of the security controls based on: (1) the FIPS 199\nsecurity categorization of the information system, (2) the specific security controls selected and\nemployed by the organization to protect the information system, and (3) the level of assurance\n(or confidence) that the organization must have in determining the effectiveness of the security\n\n\n                                                 5\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\ncontrols in the information system. It is expected that the organization will assess all of the\nsecurity controls in the information system during the 3-year accreditation cycle. 
The\norganization can use the current year\xe2\x80\x99s assessment results obtained during security certification\nto meet the annual FISMA assessment requirement.\n\nThe FY 2009 FISMA guidance stated that agencies are required to use FIPS 200, Minimum\nSecurity Requirements for Federal Information and Information Systems, and National Institute\nof Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security\nControls for Federal Information Systems, for the specification of security controls and NIST SP\n800-37 and SP 800-53A, Guide for Assessing the Security Controls in Federal Information\nSystems, for the assessment of security control effectiveness.\n\nThe agency CIO issued a memorandum in January 2009 requiring system owners to complete\nannual contingency plan testing and annual security controls testing of all major applications and\ngeneral support systems. System owners were required to prepare a schedule of planned\ncontingency plan testing and annual security controls testing, with a completion date that does\nnot exceed one year from the last time such testing was performed. Systems that were\nauthorized to operate within the past fiscal year have already had their security controls tested\nand, therefore, do not require additional annual security control testing. The CSO identified a set\nof 48 core controls that must be assessed annually for all systems. System owners were required\nto select additional controls with an emphasis on controls associated with POA&M items that\nhave been closed within the past year, with additional controls selected from the Access Control,\nConfiguration Management, Contingency Planning, Incident Response, System Maintenance,\nand System and Services Acquisition control families. 
System owners were also required to\nselect a subset of controls from the system\xe2\x80\x99s security plan that have not been assessed since the\nauthority to operate was granted to the system or since the last annual security control testing\nwas performed.\n\nNRC Has Completed Annual Security Control Testing for All Agency Systems and for All\nContractor Systems\n\nTwelve of the agency\xe2\x80\x99s 22 operational systems and 1 of the agency\xe2\x80\x99s 3 contractor systems were\nauthorized to operate in the past fiscal year and, therefore, did not require additional annual\nsecurity control testing. The remaining 10 agency systems and 2 contractor systems required\nannual security control testing. As of the completion of fieldwork for FY 2009, annual security\ncontrol testing was completed for the 10 agency systems and the 1 contractor system that\nrequired annual security control testing. In addition, while not required, the agency performed\nannual security control testing on two of the agency\xe2\x80\x99s operational systems that were authorized\nto operate in the past fiscal year.\n\n\n\n\n                                                 6\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n3.4    Contingency Plan Testing (Question 2c)\n\n                            OMB Requirement                                      OIG Response\n 2.c. Number of systems reviewed for which contingency plans have\n                                                                        See Table 3-4 below.\n been tested in accordance with policy by FIPS 199 system impact level.\n\n               Table 3-4. 
Total Number of Systems and Number Reviewed\n        for Which Contingency Plans Have Been Tested in Accordance With Policy\n                            by FIPS 199 System Impact Level\n          FIPS 199 System                                       Total           Number\n                                 Agency       Contractor\n            Impact Level                                       Number          Reviewed\n                High                8               1             9                 2\n              Moderate             14               1             15                2\n                Low                 0               1             1                 0\n          Not Categorized           0               0             0                 0\n                Total              22               3             25                4\n\nContingency Plan Testing \xe2\x80\x93 Background\n\nFISMA requires agencies to develop plans and procedures to ensure continuity of operations for\ninformation systems that support the operations and assets of the agency. NIST SP 800-34,\nContingency Planning Guide for Information Technology Systems, states that contingency plans\nshould be tested at least annually and when significant changes are made to the information\nsystem, supported business process(es), or the contingency plan. Management Directive (MD)\nand Handbook 12.5, NRC Automated Information Security Program, states that the NRC shall\ncomply with the NIST guidance to include guidance related to the preparation of security\ndocumentation (such as system security plans, IT risk assessments, and IT contingency plans)\nand other applicable NIST automated information security guidance for IT security processes,\nprocedures, and testing. MD 12.5 also states that IT contingency plans for major applications\nand general support systems shall be tested each year. A live test provides the best indication of\nthe adequacy of a contingency plan test. 
If a live test cannot be conducted due to operational\nconstraints, a simulated test may be conducted in lieu of the live test. NRC Information Systems\nSecurity (ISS) and Office of Information Services (OIS) procedures also require annual\ncontingency plan testing for all major applications and general support systems, including\ngenerating a contingency plan test report.\n\nAnnual Contingency Plan Testing Was Completed for All Agency Systems and All\nContractor Systems\n\nThe agency CIO issued a memorandum in January 2009 requiring system owners to complete\nannual contingency plan testing and annual security controls testing of all major applications and\ngeneral support systems. System owners were required to prepare a schedule of planned\ncontingency plan testing and annual security controls testing, with a completion date that does\nnot exceed 1 year from the last time such testing was performed.\n\n\n                                                7\n\x0c                                                                                          Independent Evaluation of\n                                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n\n\nAs of the completion of fieldwork for FY 2009, contingency plan testing7 was completed for all\n22 operational NRC information systems and for all 3 contractor systems. In addition, all 22\noperational NRC information systems and all 3 contractor systems have current contingency\nplans.\n\n3.5       Evaluation of Agency Oversight of Contractor Systems (Question 3a)\n\n                                 OMB Requirement                                               OIG Response\n    3.a. Does the Agency have policies for oversight of contractors?                       Yes\n         3.a(1). Is the policy implemented?                                                
Yes\n\nOversight of Contractor Systems \xe2\x80\x93 Background\n\nFISMA requires agencies to provide information security protections commensurate with the risk\nand magnitude of harm resulting from unauthorized access, use, disclosure, disruption,\nmodification, or destruction of (1) information collected or maintained by or on behalf of the\nagency or (2) information systems used or operated by an agency or by a contractor of an agency\nor other organization on behalf of an agency.8\n\nNRC defines two types of systems that are operated by a contractor or other organization on\nbehalf of NRC \xe2\x80\x93 contractor systems and e-Government systems. A contractor system is a system\nthat processes NRC information and is operated and maintained by a contractor, and an\ne-Government system is a system that processes NRC information and is operated and\nmaintained by another Federal agency.\n\nThe agency follows the same policies, procedures, and guidance in MD and Handbook 12.5 for\ncontractor systems as it does for agency systems. All contractor systems must be certified and\naccredited prior to processing any sensitive NRC information or connecting to the NRC\ninfrastructure and must undergo annual security control testing and annual contingency plan\ntesting. Contractor systems are also required to undergo recertification and re-accreditation per\nNRC policy.\n\nFor e-Government systems, the agency requires the responsible NRC system owner to\ndemonstrate those systems meet FISMA requirements by providing proof of authority to operate,\nannual security control testing, and annual contingency plan testing. The agency also requires a\nprivacy impact assessment and a security categorization for all e-Government systems. 
The\nagency may also require service level agreements or memoranda of understanding/agreement\nwith those agencies.\n\n\n\n7\n  Any testing performed between September 1, 2008, and the completion of fieldwork would be considered as FY\n  2009 test results.\n8\n  Information systems used or operated by a contractor of an agency or other organization on behalf of the agency\n  refers to information systems that the agency considers to be either major applications or general support systems.\n\n\n                                                          8\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\nIn addition to three contractor systems, NRC has seven e-Government systems, all considered to\nbe major applications. Oversight of these systems is the responsibility of the Federal agencies\noperating the systems.\n\nAgency Oversight of Contractor Systems Meets FISMA Requirements\n\nAs of the completion of fieldwork for FY 2009, all three contractor systems for which NRC has\ndirect oversight had a current certification and accreditation. One was authorized to operate in\nFY 2009 and did not require additional annual security control testing. The other two had their\nsecurity controls tested and reviewed in the past year. All three have completed annual\ncontingency plan testing.\n\n3.6    Evaluation of Quality of Agency System Inventory (Questions 3b-3g)\n\n                           OMB Requirement                                       OIG Response\n 3.b. Does the Agency have a materially correct inventory of major\n information systems (including national security systems) operated by     Yes\n or under the control of such Agency?\n 3.c. 
Does the Agency maintain an inventory of interfaces between the\n Agency systems and all other systems, such as those not operated by       Yes\n or under the control of the Agency?\n 3.d. Does the Agency require agreements for interfaces between\n systems it owns or operates and other systems not operated by or          Yes\n under the control of the Agency?\n 3.e. The Agency inventory is maintained and updated at least\n                                                                           Yes\n annually.\n 3.f. The IG generally agrees with the CIO on the number of Agency-\n                                                                           Yes\n owned systems.\n 3.g. The IG generally agrees with the CIO on the number of\n information systems used or operated by a contractor of the Agency or     Yes\n other organization on behalf of the Agency.\n\nAgency System Inventory \xe2\x80\x93 Background\n\nFISMA requires agencies to develop and maintain an inventory of major information systems\noperated by or under control of the agency. The inventory must include an identification of the\ninterfaces between each such system and all other systems or networks, including those not\noperated by or under the control of the agency. The inventory must be updated at least annually\nand must also be used to support information resources management.\n\nMD and Handbook 12.5 also define requirements for the agency\xe2\x80\x99s inventory of automated\ninformation systems. The agency\xe2\x80\x99s inventory must identify all interfaces between each system\nand all other systems and networks, including those not operated by or under the control of the\nagency. 
MD and Handbook 12.5 also require the agency CIO to establish procedures for\n\n\n\n                                                9\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\ninterconnection of any IT device or system with the NRC IT infrastructure systems. It also\nspecifies requirements for connections to the NRC network infrastructure. Written management\nauthorization is required before establishing a connection between the NRC IT infrastructure and\nanother system that is not NRC controlled. Connections to other Government-owned systems\nalso may require the establishment of a memorandum of understanding (MOU).\n\nThe agency\xe2\x80\x99s certification and accreditation process includes tasks, guidelines, and procedures\nfor completing interconnecting security agreements. Two of the work breakdown elements are\nto establish agreements for needed interfaces and define interface specifications. Interconnection\nsecurity agreements (ISA) and MOUs are required artifacts for inclusion in a certification and\naccreditation package (if applicable). The agency has developed procedures for creating ISAs\nand MOUs and has developed standard templates for these documents.\n\nTo address findings from previous independent evaluations regarding the agency\xe2\x80\x99s inventory, the\nagency developed an automated inventory system, the NRC System Information Control\nDatabase (NSICD), to house the inventory of automated information systems. The agency\ninventory is maintained and updated at least annually. The agency issues data calls twice a year,\ntypically in January and August. Data call packages include an explanation of the data fields\nfound on the data call inventory sheets and instructions on how to verify and enter the data. 
The\nagency also developed several procedures and guides to assist NRC offices with the data calls\nand to assist the agency in maintaining the inventory data in the new system.\n\nFINDING A \xe2\x80\x93 The NRC Inventory Interface Information Is Still Inconsistent (Repeat\nFinding)\n\nThe FY 2008 FISMA independent evaluation found that very little interface information was\nincluded in NSICD and that the interface information in NSICD was inconsistent with the\ninterface information included in system security plans. In response to recommendations from\nthe FY 2008 independent evaluation, the agency updated NSICD to include interface information\nfor all systems in the NRC inventory. The agency also developed a guide for the CSO\xe2\x80\x99s\nadministrative staff for entering data into security records within NSICD to ensure interface\ninformation is consistent with interface information in security plans and risk assessments.\n\nCarson Associates reviewed security plans, risk assessments, and other IT security\ndocumentation for the majority (19 of 25) of NRC and contractor systems to identify the\ninterfaces for those systems. Carson Associates then reviewed the records for those systems in\nNSICD to determine if the agency\xe2\x80\x99s inventory included the interfaces identified in the IT security\ndocumentation. Carson Associates also analyzed the interface information in NSICD for\nconsistency within the inventory. For example, if system 1 listed interfaces with systems 2, 3,\nand 4, then those systems should also list an interface with system 1.\n\nCarson Associates found that the majority of the interface information for 19 of 25 systems was\ninconsistent with information found in IT security documentation, as well as with interface\ninformation within NSICD. 
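The inventory cross-check described above, written out as an added example (not the agency's or the evaluators' own tooling): it takes constructed NSICD-style interface records and constructed security-plan interface lists, using placeholder SYS-n names rather than real NRC system identifiers, and reports asymmetric entries within the inventory, mismatches between the two sources, and interface partners that have no inventory record at all.

```python
"""Interface-consistency check of the kind described in Finding A.

Added example, not the agency's or Carson Associates' tooling. Both inputs
are constructed samples: the inventory side stands in for the NSICD records,
the documentation side for security plans and risk assessments. The SYS-n
names are placeholders, not real NRC system identifiers.
"""

# Constructed sample inventory records: system -> systems it claims to
# interface with (the NSICD side of the comparison).
INVENTORY = {
    "SYS-1": {"SYS-2", "SYS-3", "SYS-4"},
    "SYS-2": {"SYS-1"},
    "SYS-3": set(),              # does not list SYS-1 back: asymmetric
    "SYS-4": {"SYS-1", "SYS-5"},
    "SYS-5": set(),              # SYS-4 claims SYS-5, SYS-5 lists nothing
    "SYS-7": {"SYS-8"},
    "SYS-8": {"SYS-7"},          # SYS-7/SYS-8 are consistent everywhere
}

# Constructed sample of interfaces found in security plans / risk assessments.
SECURITY_DOCS = {
    "SYS-1": {"SYS-2", "SYS-3", "SYS-4"},
    "SYS-2": {"SYS-1", "SYS-6"},   # SYS-6 has no inventory record at all
    "SYS-3": {"SYS-1"},
    "SYS-4": {"SYS-1"},            # SYS-5 interface absent from the plan
    "SYS-5": set(),
    "SYS-7": {"SYS-8"},
    "SYS-8": {"SYS-7"},
}


def asymmetric_interfaces(inventory):
    """(a, b) pairs where a lists an interface with b but b does not list a.

    This is the within-inventory check: if system 1 lists 2, 3 and 4,
    then 2, 3 and 4 must each list system 1 in turn."""
    return sorted(
        (a, b)
        for a, peers in inventory.items()
        for b in peers
        if a not in inventory.get(b, set())
    )


def doc_vs_inventory(inventory, docs):
    """Per-system interfaces present in only one of the two sources."""
    diffs = {}
    for system in sorted(set(inventory) | set(docs)):
        inv, doc = inventory.get(system, set()), docs.get(system, set())
        if inv != doc:
            diffs[system] = {
                "only_in_docs": sorted(doc - inv),
                "only_in_inventory": sorted(inv - doc),
            }
    return diffs


def unknown_peers(inventory, docs):
    """Systems referenced as interface partners but with no inventory record."""
    referenced = set()
    for source in (inventory, docs):
        for peers in source.values():
            referenced |= peers
    return sorted(referenced - set(inventory))


def consistency_report(inventory, docs):
    """Run the three checks and count how many systems fail at least one."""
    asym = asymmetric_interfaces(inventory)
    diffs = doc_vs_inventory(inventory, docs)
    flagged = {a for a, _ in asym} | {b for _, b in asym} | set(diffs)
    return {
        "asymmetric": asym,
        "doc_mismatch": diffs,
        "unknown_peers": unknown_peers(inventory, docs),
        "systems_inconsistent": len(flagged),
        "systems_total": len(set(inventory) | set(docs)),
    }


if __name__ == "__main__":
    report = consistency_report(INVENTORY, SECURITY_DOCS)
    for pair in report["asymmetric"]:
        print("inventory asymmetry: %s lists %s, but not vice versa" % pair)
    for system, diff in report["doc_mismatch"].items():
        print("%s: docs-only %s, inventory-only %s" % (
            system, diff["only_in_docs"], diff["only_in_inventory"]))
    print("referenced systems with no inventory record:", report["unknown_peers"])
    print("%d of %d systems inconsistent" % (
        report["systems_inconsistent"], report["systems_total"]))
```

On the constructed sample, 5 of 7 systems are flagged; the same functions apply unchanged to the real inventory export once it is loaded into the same system-to-peers mapping.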
While there is more interface information in NSICD than was found during the FY 2008 independent evaluation, the information is still incomplete and inconsistent.

The guide that the agency developed for the CSO's administrative staff includes guidance on entering interface information into NSICD. However, it suggests obtaining this information from either the system's security categorization or risk assessment. These documents are not updated on a periodic basis, so the interface information found in these documents may not be current. Carson Associates also found that some of the security plans, which are required to be updated at least annually, did not include interface details, but referred the reader to other documents, which in some cases were not as current as the security plans. As a result, the interface information obtained from the security categorizations, risk assessments, and some security plans did not reflect the actual interfaces for the system.

On October 9, 2009, the agency reported recommendations 1 and 2 from the FY 2008 FISMA independent evaluation as closed. Recommendation 1 should remain open until the agency corrects the inconsistencies that still exist in the inventory information in NSICD. Recommendation 2 should also remain open until the procedures developed to ensure interface information in NSICD is consistent with interface information in security plans and risk assessments are further refined. The IG suggests that the agency add additional guidance to the procedures on where to find current interface information, as well as how to ensure interface information remains consistent within NSICD.

RECOMMENDATION

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Develop and implement procedures to ensure interface information is kept up-to-date.

3.7 Evaluation of Agency POA&M Process (Question 4)

OMB Requirement                                                                  OIG Response
4.a. Has the Agency developed and documented an adequate policy                  Yes
     that establishes a POA&M process for reporting IT security
     deficiencies and tracking the status of remediation efforts?
     4.a(1). Has the Agency fully implemented the policy?                        No
4.b. Is the Agency currently managing and operating a POA&M process?             Yes
4.c. Is the Agency's POA&M process an Agency-wide process,                       No
     incorporating all known IT security weaknesses, including IG/external
     audit findings associated with information systems used or operated
     by the Agency or by a contractor of the Agency or other organization
     on behalf of the Agency?
4.d. Does the POA&M process prioritize IT security weaknesses to                 No
     help ensure significant IT security weaknesses are corrected in a
     timely manner and receive appropriate resources?
4.e. When an IT security weakness is identified, do program officials            Yes
     (including CIOs, if they own or operate a system) develop, implement,
     and manage POA&Ms for their system(s)?
4.f. For Systems Reviewed:
     4.f(1). Are deficiencies tracked and remediated in a timely manner?         No
     4.f(2). Are the remediation plans effective for correcting the              Yes
             security weaknesses?
     4.f(3). Are the estimated dates for remediation reasonable and              No
             adhered to?
4.g. Do program officials and contractors report their progress on               Yes
     security weakness remediation to the CIO on a regular basis (at least
     quarterly)?
4.h. Does the Agency CIO centrally track, maintain, and                          Yes
     independently review/validate POA&M activities on at least a
     quarterly basis?

Agency POA&M Process – Background

FISMA requires agencies to develop, document, and implement an agencywide information security program that includes a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency. MD and Handbook 12.5 require system owners/sponsors to ensure that a POA&M is developed, implemented, and maintained to track the major weaknesses that have been identified for office-sponsored information systems. Each office shall regularly update the CIO on its progress in correcting system weaknesses to enable the CIO to provide the agency's quarterly FISMA update report to OMB.

NRC has two primary tools for tracking IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency. At a high level, NRC uses the POA&Ms required by OMB to track (1) corrective actions from the OIG annual independent evaluation; (2) corrective actions from the agency's annual review; and (3) recurring FISMA and IT security action items, such as annual security control assessments and annual contingency plan testing. The POA&Ms may also include corrective actions resulting from other security studies conducted by or on behalf of NRC.

The more specific corrective actions associated with the certification and accreditation process (e.g., corrective actions resulting from risk assessments and security control testing) are tracked in Rational® ClearQuest®[9] as change requests using the project management methodology process for change management. All certification and accreditation corrective actions arising from the security control testing process and from vulnerability scans are imported into Rational ClearQuest. A corrective action plan is generated directly from Rational ClearQuest. System owners are responsible for remediation of each corrective action within the timeframes specified in the corrective action plan using the project management methodology process for change requests.

[9] Rational ClearQuest is an IBM software package used for software change management.

The agency has developed a process for requesting quarterly POA&M updates from system owners, compiling the data into a consolidated source, reviewing it for accuracy, rolling up the information, and reporting it to OMB. Five weeks prior to the quarterly submittal to OMB, the agency sends out a data call to the offices asking them to update the current POA&Ms for their systems and add new weaknesses to the POA&Ms. Three weeks prior to the quarterly submittal to OMB, the agency receives the updated POA&M data from the system owners and enters the data into NSICD. The agency also adds any new weaknesses identified from various sources including OIS recommendations and system certification artifacts. The agency provides instructions on providing the quarterly updates to the POA&M and specifies that data in only four fields on the POA&M should be changed: resources, brief description of work/services required, changes to milestones, and status.

The FY 2007 and FY 2008 FISMA independent evaluations found that the quality of the agency's POA&Ms needed improvement. Specifically, Carson Associates found that (1) the metrics submitted to OMB often deviated from the actual POA&Ms, and (2) the agency is not always following OMB and internal NRC POA&M guidance. Carson Associates also found that the agency is closing weaknesses without sufficient evidence from the system owner. As a result of recommendations from the FY 2007 FISMA independent evaluation, the agency has been working on automating the POA&M process and is currently using NSICD to store, process, and generate the POA&Ms. Subsequent to the FY 2007 FISMA independent evaluation, the agency began analyzing a variety of tools to automate the POA&M process. In 2008, the agency acquired the Environmental Protection Agency's FISMA reporting solution, the Automated System Security Evaluation and Remediation Tracking system, to further automate the POA&M and continuous monitoring processes. However, the agency identified some problems with the tool, and after six months of research and evaluation the CSO picked Xacta, which was recently purchased, as the agency's tool for automating the POA&Ms.

The agency has also developed draft POA&M procedures to ensure quality assurance is emphasized. The draft procedures include a process for conducting independent verification and validation of POA&Ms to assure their adequacy as part of the security assessment review process. Additionally, CSO has acquired additional contract support to assist in establishing a compliance review process in which CSO will review security documentation, conduct vulnerability scanning, and meet with each system owner on an annual basis to verify the status of remediation efforts, assess the comprehensiveness of planned corrective actions, and validate the accuracy of tasks, responsibilities, and milestones for each outstanding weakness. These activities will take place quarterly, targeting approximately 25 percent of the overall number of POA&Ms. Implementation of this process was scheduled for the third quarter of FY 2009, and the CSO plans to start meeting with the system owners in the first quarter of FY 2010.

The agency's new POA&M procedures also require corrective actions to be ranked based on the most critical security weaknesses and their impact on the agency's mission.
This ranking should be reflected in the POA&M by listing identified weaknesses in priority order, irrespective of the weakness ID (which is sequentially derived). The procedures state that the overall severity of the weakness should be considered in conjunction with the system risk impact level when prioritizing the mitigation of weaknesses. Weakness severity is the potential magnitude of loss that could result from weakness exploitation. The POA&M includes a weakness severity (called risk level) column that can be used to prioritize security weaknesses. However, the agency has not implemented the process described above for prioritizing security weaknesses.

FINDING B – The Quality of the Agency’s POA&Ms Still Needs Improvement (Repeat Finding)

As in previous independent evaluations, Carson Associates found that the quality of the agency’s POA&Ms still needs improvement. In assessing the agency’s POA&M process, Carson Associates found that (1) the POA&M does not always include known IT security weaknesses, (2) deficiencies are not always remediated in a timely manner, and (3) estimated dates for remediation are not always adhered to.

In addition, Carson Associates found that the following problems identified with the POA&Ms in FY 2007 and FY 2008 still persist: (1) the metrics submitted to OMB often deviated from the actual POA&Ms, (2) the agency is not always following OMB and internal NRC POA&M guidance, and (3) the agency is closing weaknesses without sufficient evidence from the system owner.

The POA&M Does Not Always Include Known IT Security Weaknesses

The POA&M process is an agencywide process, but does not always include known IT security weaknesses from IG audits. The new agency POA&M procedures require new weaknesses to be added to the POA&M within 10 days of discovery. Carson Associates identified five OIG reports issued since May 2008 that identified IT security weaknesses. However, those weaknesses were not added to the POA&M until more than 6 months after the reports were issued. For example, the weaknesses from the FY 2008 FISMA independent evaluation were not added to the POA&M until the 4th Quarter FY 2009. In addition, the weaknesses for each report were added as one item on the POA&M for each report, instead of separate POA&M items for each weakness. Carson Associates also determined that none of the recommendations from the FY 2009 contingency plan testing, and not all of the weaknesses identified during the FY 2009 annual security control testing, have been added to the POA&M.

Deficiencies Are Not Always Remediated in a Timely Manner

Carson Associates analyzed the POA&Ms for the four systems selected for evaluation in FY 2009 in order to characterize the timeliness of weakness remediation. Three of the four systems had at least one weakness that was closed more than 9 months after the scheduled completion date. One system had more than 25 percent of its closed weaknesses overdue by more than 9 months and 3 weaknesses that were closed over a year after their scheduled completion dates.

Estimated Dates for Remediation Are Not Always Adhered To

Carson Associates analyzed the POA&Ms for the four systems selected for evaluation in FY 2009 in order to determine if estimated remediation dates are adhered to. Three of the four systems have more than half of their open weaknesses more than 5 months overdue. One system has more than half of its open weaknesses overdue by more than 9 months.

Metrics Submitted to OMB Deviate From the Actual POA&Ms

As in previous independent evaluations, Carson Associates found discrepancies between the metrics submitted to OMB and the actual POA&Ms. The most common errors causing the discrepancies are:

   •  Counting weaknesses as closed in more than one quarter.
   •  Counting weaknesses as closed when they have not been closed by the OIG.
   •  Not counting weaknesses as closed when they have been closed by the OIG prior to the cutoff date for POA&M reporting.
   •  Reporting weaknesses as on track when they are actually delayed.
   •  Reporting weaknesses as delayed when they are still on track.

The Agency Is Not Always Following OMB and NRC Internal POA&M Guidance

As in previous FISMA evaluations, Carson Associates also found that the agency is not always following OMB’s POA&M guidance. The agency is also not following NRC internal POA&M guidance. The following are some examples of deviations from OMB and NRC internal POA&M guidance found on the POA&Ms that were analyzed.

   •  Weaknesses with completion dates over a year old are not always removed from the POA&Ms. OMB guidance[10] states that weaknesses that are no longer undergoing correction and have been completely mitigated for over a year should no longer be reported in the agency POA&M.
   •  Weaknesses with changes made to scheduled completion dates. OMB guidance states that once an agency has completed the initial POA&M, no changes should be made to the scheduled completion date.
   •  Weaknesses without scheduled completion dates. Several POA&M items added to the 1st Quarter FY 2009 POA&M and the 4th Quarter FY 2009 POA&M did not have scheduled completion dates.
   •  Multiple weaknesses added under one POA&M item. Carson Associates identified five OIG reports issued since May 2008 that identified IT security weaknesses. The weaknesses for each report were added as one item on the POA&M for each report, instead of separate POA&M items for each weakness.
   •  Weaknesses not properly marked to indicate they were closed in a previous quarter, but are being reported as closed in a later quarter (NRC requirement).

[10] OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act.

The Agency Continues to Close Weaknesses Without Sufficient Evidence from the System Owners

As in the FY 2008 FISMA independent evaluation, Carson Associates found that the agency is sometimes closing weaknesses without sufficient evidence from the system owners. During our analysis of weaknesses identified during the FY 2009 annual security control testing, we found many instances where weaknesses that had been previously closed were still found to be present. In some instances, the weaknesses were added back to the POA&M with the FY 2009 annual security control testing results.

NRC Progress in Correcting Weaknesses Reported on Its POA&Ms Is Not Improving

The agency’s progress in correcting weaknesses reported on its POA&Ms is not improving.
In FY 2007 the agency corrected 35 percent of its program level weaknesses and just over 23 percent of its system level weaknesses. In FY 2008 (quarters 1, 2, and 3), the agency corrected just over 45 percent of its program level weaknesses and just over 43 percent of its system level weaknesses, which was somewhat of an improvement. However, in FY 2009 (FY 2008 4th quarter, and FY 2009 all quarters), the agency corrected only 30 percent of its program level weaknesses and just over 40 percent of its system level weaknesses, which is less than in FY 2008.

RECOMMENDATION

The issue with the quality of the agency’s POA&Ms is a repeat finding from the FY 2007 and FY 2008 FISMA independent evaluations. The recommendation from the FY 2007 FISMA independent evaluation is still open, as the agency has not completed all of its planned remediation activities. Therefore, the OIG is not issuing a new recommendation for addressing this weakness.

3.8       IG Assessment of the Certification and Accreditation Process (Question 5)

                               OMB Requirement                                     OIG Response
 5.a. Has the Agency developed and documented an adequate policy
 for establishing a certification and accreditation process that follows
 the NIST framework?                                                               Yes
 5.b. Is the Agency currently managing and operating a certification
 and accreditation process in compliance with its policies?                        Yes
 5.c. For Systems reviewed, does the certification and accreditation
 process adequately provide:
          5.c(1). Appropriate risk categories                                      Yes
          5.c(2). Adequate risk assessments                                        Yes
          5.c(3). Selection of appropriate controls                                Yes
          5.c(4). Adequate testing of controls                                     Yes
          5.c(5). Regular monitoring of system risks and the adequacy of
                  controls                                                         Yes
 5.d. For systems reviewed, is the Authorizing Official presented with
 complete and reliable certification and accreditation information to
 facilitate an informed system Authorization to Operate decision based
 on risks and controls implemented?                                                Yes

Certification and Accreditation – Background

The security certification and accreditation of information systems is integral to an agency’s information security program and is an important activity that supports the risk management process required by FISMA. Information systems under development must be certified and accredited prior to becoming operational. Operational information systems must be recertified and re-accredited every 3 years in accordance with Federal policy[11] and whenever there is a significant change[12] to the information system or its operational environment.

The following diagram[13] illustrates the key activities, including certification and accreditation, in managing enterprise-level risk, i.e., risk resulting from the operation of an information system. As illustrated in the diagram, NIST has developed several standards and guidelines to support the management of enterprise risk. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidelines for certification and accreditation.

[11] OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources.
[12] Examples of significant changes to an information system that should be reviewed for possible re-accreditation include (1) installation of a new or upgraded operating system, middleware component, or application; (2) modifications to system ports, protocols, or services; (3) installation of a new or upgraded hardware platform or firmware component; and (4) modifications to cryptographic modules or services. Changes in laws, directives, policies, or regulations, while not always directly related to the information system, can also potentially affect the system security and trigger a re-accreditation action.
[13] The diagram was adapted from a diagram found in the NIST presentation “Building More Secure Information Systems: A Strategy for Effectively Applying the Provisions of FISMA,” dated July 29, 2005 (http://csrc.nist.gov/sec-cert/PPT/fisma-overview-July29-2005.ppt).

Security certification is a comprehensive assessment of the management, operational, and technical security controls[14] that are planned or in place in an information system to determine the extent to which the controls are (1) implemented correctly, (2) operating as intended, and (3) producing the desired outcome with respect to meeting the security requirements for the information system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official[15] to render a security accreditation decision. Security certification can include a variety of assessment methods (e.g., interviewing, inspecting, studying, testing, demonstrating, and analyzing) and associated assessment procedures depending on the depth and breadth of assessment required by the agency.

Security accreditation is the official management decision given by a senior agency official to (1) authorize operation of an information system and (2) explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. By accrediting an information system, an agency official accepts responsibility for the information system’s security.

[14] Management controls are the safeguards or countermeasures that focus on the management of risk and the management of information system security. Operational controls are the safeguards or countermeasures that primarily are implemented and executed by people (as opposed to systems). Technical controls are the safeguards or countermeasures that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
[15] The agency refers to the authorizing official as the designated approving authority.

There are three types of accreditation decisions that can be rendered by authorizing officials: (1) authorization to operate, (2) interim authorization to operate (IATO), and (3) denial of authorization to operate.

   •  Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is acceptable.
   •  Interim Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable, but there is an overarching mission necessity to place the information system into operation or continue its operation. An IATO is rendered when the security vulnerabilities identified in the information system (resulting from deficiencies in the planned or implemented security controls) are significant but can be addressed in a timely manner. An IATO provides a limited authorization to operate the information system under specific terms and conditions and acknowledges greater risk to the agency for a specified period of time. In accordance with OMB policy, an information system is not accredited during the period of limited authorization to operate. The duration established for an IATO should be commensurate with the risk to agency operations, agency assets, or individuals associated with the operation of the information system. When the security-related deficiencies have been adequately addressed, the IATO should be lifted and the information system authorized to operate.
   •  Denial of Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable. The information system is not accredited and should not be placed into operation. If the information system is currently operational, all activity should be halted.

The NRC Certification and Accreditation Process Follows the NIST Framework

In order to evaluate the agency’s certification and accreditation process, Carson Associates reviewed the certification and accreditation process and procedures located on the agency’s project management methodology Web site, and reviewed accreditation decision memoranda issued by the agency’s authorizing official. NRC’s certification and accreditation process is documented on its Project Management Methodology (PMM) Web site and is part of the agency’s ISS program.
The objectives of the ISS Program are to:

   •  Implement appropriate security measures to protect NRC information and information systems.
   •  Ensure that security measures provide the appropriate level of protection and reliable access to NRC information and information systems by authorized individuals, and only by authorized individuals, and operate as intended.
   •  Ensure that senior agency officials exercise due diligence over information security for the information and information systems that support the operations and assets under their control.

The PMM Web site includes workflows for the authority to operate process and the continuous monitoring process. Each workflow includes a work breakdown structure, team allocations, and work product usage information. The PMM Web site includes templates for all required certification and accreditation artifacts. The PMM Web site also includes guidance on the use of common and inheritable controls.

NRC Is Managing and Operating a Certification and Accreditation Process In Compliance With Its Policies

To determine if the agency is managing and operating a certification and accreditation process in compliance with its policies, we reviewed the certification and accreditation documents for the four systems selected for evaluation during the FY 2009 independent evaluation. We also reviewed the agency’s continuous monitoring process, including the requirement for annual security control testing, annual contingency plan testing, and annual security plan updates. Carson Associates found that the certification and accreditation documents for the four systems selected for evaluation were in compliance with agency policy, with a few minor deviations. The agency has been provided detailed information on any deviations from policy that were identified. Based on the certification and accreditation documents that were reviewed, Carson Associates determined that the NRC certification and accreditation process adequately provides:

   •  Appropriate risk categories.
   •  Adequate risk assessments.
   •  Selection of appropriate controls.
   •  Adequate testing of controls.
   •  Regular monitoring of system risk and the adequacy of controls.

Carson Associates also determined that for the four systems selected for evaluation, the Authorizing Official was presented with complete and reliable certification and accreditation information to facilitate an informed Authorization to Operate decision based on risks and controls implemented.

3.9       IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process (Question 6)

                             OMB Requirement                                      OIG Response
 6.a. Has the Agency developed and documented adequate policies
 that comply with OMB guidance in M-07-16, M-06-15, and M-06-16
 for safeguarding privacy-related information?                                    Yes
 6.b. Is the Agency currently managing and operating a privacy
 program with appropriate controls in compliance with its policies?               Yes
 6.c. Has the Agency developed and documented an adequate policy
 for PIAs?                                                                        Yes
 6.d. Has the Agency fully implemented the policy and is the Agency
 currently managing and operating a process for performing adequate
 PIAs?                                                                            Yes

Policies That Comply With OMB Guidance in M-07-16, M-06-15, and M-06-16 Exist

On March 20, 2009, the OIS Director reported to the Commission on the agency’s progress in reducing the risks related to the breach of PII. For example, since 2006, nine yellow announcements have been issued implementing the OMB guidance. In addition, the staff has reviewed all agency forms, removed the unnecessary collections of PII, and revised the forms as appropriate. The staff has also developed a contract clause for protecting PII that may be provided, collected, used, possessed, or processed in the course of performing work under an NRC contract. The memorandum included as an attachment a comprehensive progress report on all of the actions taken by the staff and the actions still to be completed. The following are some of the actions taken by the agency to protect PII.

The following agency policies, procedures, and guidance have been developed and documented in compliance with OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information:

   •  Yellow Announcement YA-08-0093, Information Technology Implementation Policy – Updated Computer Security Incident Response and PII Incident Response, July 3, 2008: Announced revised computer security incident policy to include direction for responding to PII incidents.
   •  Computer Security Incident Response Policy, July 3, 2008.
   •  Yellow Announcement YA-07-0106, Safeguarding Against and Responding to the Breach of PII, September 19, 2007: Distributed OMB M-07-16 to all NRC employees, and announced publication of the NRC PII Breach Notification Policy and the NRC Plan to Eliminate the Unnecessary Collection and Use of Social Security Numbers (SSNs).
   •  PII Breach Notification Policy, September 19, 2007, updated February 9, 2009, to include credit monitoring services under certain circumstances to individuals whose PII has been unintentionally breached by NRC.
   •  Yellow Announcement YA-07-0096, Guidance for Periodic Review of Agency Network Drives for the Presence of PII, September 6, 2007: The NRC will review all agency-shared drives for the purpose of identifying and eliminating PII at least annually. The FY 2008 review was completed September 19, 2008.
   •  Plan to Eliminate the Unnecessary Collection and Use of SSNs, September 19, 2007. A progress update was issued September 19, 2008.
   •  Electronic PII is discussed in the U.S. NRC Agency-wide Rules of Behavior for Authorized Computer Use, May 19, 2009.
The rules of behavior are provided to NRC\n       computer users as part of the annual computer security awareness course and apply to all\n       NRC employees, contractors, vendors, and agents (users) who have access to any system\n       operated by the NRC or by a contractor or outside entity on behalf of the NRC. Violation\n\n\n                                                21\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n       of these rules will be reported to the user\xe2\x80\x99s management and to the CSO. Non-\n       compliance may subject the user to disciplinary action, as well as penalties and sanctions,\n       including verbal or written warning, removal of system access privileges, reassignment to\n       other duties, criminal or civil prosecution, and/or removal from Federal service,\n       depending on the severity of the violation.\n   \xef\x82\xb7   The agency is currently developing annual PII responsibilities awareness and\n       acknowledgement.\n\nThe following agency policies, procedures, and guidance have been developed and documented\nin compliance with OMB M-06-16, Protection of Sensitive Agency Information:\n\n   \xef\x82\xb7   Yellow Announcement YA-09-0035, Information Technology Security Policy \xe2\x80\x93 Laptop\n       Security Policy, April 2, 2009: Announced new policy for laptop security, including\n       requirement that laptops use full disk encryption.\n   \xef\x82\xb7   Laptop Security Policy, April 2, 2009.\n   \xef\x82\xb7   Yellow Announcement YA-08-157, Information Technology Security Policy \xe2\x80\x93\n       Encryption of Data at Rest, December 19, 2008: Announced new encryption of data at\n       rest policy and NUREG/BR-168, Revision 4.\n   \xef\x82\xb7   Computer Security Policy for Encryption of Data at Rest When Outside of 
Agency\n       Facilities, Effective December 31, 2008\n   \xef\x82\xb7   NUREG/BR-0168, Revision 4, Guide for IT Security, Policy for Processing Unclassified\n       Safeguards Information on NRC Computers, Effective December 31, 2008.\n   \xef\x82\xb7   Yellow Announcement YA-06-0069, Protection of PII, September 19, 2009 (regarding\n       requirement #2 from OMB M-06-16): NRC remote broadband access through Citrix\n       implements two-factor authentication by requiring two separate object authentications to\n       obtain access to the NRC remote access services: (1) a digital certificate and (2) a user\n       name and password. The user name and password are not stored on the workstation and\n       are independent of the digital certificate authentication. However, it does not meet the\n       criterion for \xe2\x80\x9ca device separate from the computer gaining access.\xe2\x80\x9d Because the risk\n       associated with the lack of a separate device is low, the Executive Director for Operations\n       endorsed access to PII through Citrix broadband at this time. The staff will be further\n       evaluating the use of a separate device as part of our long-term actions. In the interim,\n       the staff is prohibited from accessing systems containing PII through a dial-up modem\n       unless they use an NRC laptop that is configured in accordance with security\n       requirements approved by OIS. This prohibition does not apply to employees remotely\n       accessing the Human Resources Management System or Employee Express to update\n       their own personal information. 
       True two-factor authentication is to be implemented in FY 2011.
   •   Yellow Announcement YA-08-092, Information Technology Implementation Policy – Computer
       Security Information Protection Policy, June 26, 2008: Announced the revised Computer
       Security Information Protection Policy to address the time-out requirement in M-06-16.
   •   Computer Security Information Protection Policy, June 26, 2008: Remote access to any
       system that processes non-public NRC information shall be constrained by a "time-out"
       function that requires re-authentication after 30 minutes of inactivity. Mobile device
       access to any non-public NRC information shall be constrained by a "time-out" function
       that requires re-authentication after 30 minutes of inactivity.
   •   On September 16, 2008, the agency issued a memorandum regarding a new policy for logging
       and erasure of all computer-readable data extracts from databases holding sensitive
       information. The memorandum expands upon previously issued policies and yellow
       announcements regarding the protection of sensitive information.
       The policy is intended to ensure that Office Directors and Regional Administrators are
       aware of their responsibility to know where their sensitive information resides, when
       that information leaves their office's control, and that the information is appropriately
       protected.

       On February 12, 2009, the NRC EDO withdrew the above-mentioned policy for logging and
       erasure of all computer-readable extracts from databases holding sensitive information.
       Because most agencies are struggling to find a way to implement the database extract
       logging requirement, OMB is reexamining the requirement and will be providing new
       guidance. Once the new guidance is received, the agency will issue an appropriate policy.
       The requirement to log extracts of PII specified in YA-2006-069 remains in effect.

The following agency policies, procedures, and guidance have been developed and documented
in compliance with OMB M-06-15, Safeguarding Personally Identifiable Information:

   •   The agency sends periodic reminders, typically via yellow announcement, to employees
       about their responsibilities for safeguarding PII, the rules for acquiring and using such
       information, and the penalties for violating these rules. Announcements are sent at least
       once a year and can also be found on the agency's Privacy Act Program Web page.
   •   The agency conducts reviews of agency policies and processes and has included the results
       of those reviews with its annual FISMA submissions, as directed by OMB, since the FY 2006
       FISMA submission.
   •   On January 22, 2009, via yellow announcement, the agency announced the republication of
       the agency's Privacy Act systems of records notices. The notices were published in their
       entirety in the Federal Register on January 6, 2009.
       The yellow announcement reminded employees of their responsibility to familiarize
       themselves with current guidance and procedures addressing privacy at the NRC and included
       links to NRC internal Web pages related to privacy at the NRC.

NRC Is Managing and Operating a Privacy Program In Compliance With Its Policies

The agency is managing and operating a privacy program, which is described in MD and
Handbook 3.2, Privacy Act, dated June 27, 2007. The agency also maintains a Privacy Act
Program Web site, which includes guidance on various topics related to the Privacy Act. The
agency also maintains a separate Web page dedicated to the protection of PII. This Web page
describes the agency's activities related to the protection of PII and contains information such
as (1) frequently asked questions; (2) how to report inadvertent releases of PII; (3) links to
OMB, Office of Personnel Management, and NRC PII policy; (4) information on the agency's PII
task force (e.g., background and charter, membership, and meeting minutes); and (5) information
on automated tools available to assist in searching for files that contain PII.

A Policy for PIAs Has Been Developed and Documented

Carson Associates evaluated the agency's PIA process against the questions from the PIA and
Web Privacy Policies and Processes section of the Senior Agency Officials for Privacy Section
of the OMB FISMA Reporting Tool.

Does the agency have a written policy or process for determining whether a PIA is needed?

MD and Handbook 3.2 requires office directors and regional administrators to ensure that PIAs
are
prepared and submitted to OIS before developing or procuring IT that collects, maintains, or
disseminates personal information about individuals or when initiating a new electronic
collection of personal information in identifiable form [16] from 10 or more persons. In
accordance with the agency's project management methodology, a PIA is required for all
investments at the inception phase of the development life cycle. PIAs are also part of the
agency's certification and accreditation process. ISS-01-001, Revision 0, PIA Procedures, dated
August 30, 2006, requires a PIA (or update of an existing PIA) for each legacy system requiring
recertification and re-accreditation.

Does the agency have a written policy or process for conducting a PIA?

The agency has developed procedures (ISS-01-001) and a template for conducting PIAs. The
procedures provide a detailed discussion of how to complete a PIA and include guidance on how
to answer certain questions on the PIA. MD and Handbook 3.2 requires the OIS Business Process
Improvement and Applications Division (BPIAD) Director to ensure that PIAs are conducted,
reviewed, and approved before NRC collects information in an identifiable form or before
developing or procuring IT that collects, maintains, or disseminates such information. The OIS
Information and Records Services Division (IRSD) Director is required to ensure that PIAs are
reviewed to address the applicability of the Privacy Act, the Paperwork Reduction Act
information collection requirements, and records management requirements.
Once IRSD has completed its review and approved a PIA, IRSD is responsible for declaring the
PIA an official agency record in the agency's records management system.

Does the agency have a written policy or process for evaluating changes in business process or
technology that the PIA indicates as necessary?

PIAs are part of the agency's project management methodology and certification and
accreditation process. Any changes in business process or technology indicated by a PIA would
be handled in accordance with these processes.

[16] Information in identifiable form is information that permits the identity of the individual
     to whom the information applies to be reasonably inferred directly or indirectly.

Does the agency have a written policy or process for ensuring that system owners and privacy
and IT experts participate in conducting the PIA?

Offices/system owners are responsible for preparing a PIA for each IT project/system they
sponsor and submitting it to OIS for review and approval.
The PIA undergoes review several times during development by privacy and IT experts, including
the agency Privacy Program Officer, IRSD privacy and records staff, the computer security team,
and the agency's Senior Agency Information Security Officer.

Does the agency have a written policy or process for making PIAs available to the public in the
required circumstances and for making PIAs available in other than required circumstances?

PIAs for systems that collect information from or about members of the public are made
publicly available and posted on the NRC external Web site, unless making the PIA public would
raise security concerns or reveal classified (i.e., national security) or sensitive information
(e.g., potentially damaging to a national interest, law enforcement effort, or competitive
business interest) contained in the assessment. The sponsoring office is responsible for
performing the review that determines whether the PIA can be made public. Should an office wish
to post on the external Web site a PIA for a system that does not collect information from or
about members of the public, the office must inform the Privacy Program Officer that it has
completed a review and that there is nothing in the PIA that would preclude it from being made
public. The Privacy Program Officer changes the availability of the document in the agency's
records management system and has it posted on the agency's external Web site.

NRC Has Fully Implemented Its PIA Policy and Is Managing and Operating a Process for
Performing PIAs

To determine whether the agency has fully implemented the PIA policy and is currently managing
and operating a process for performing adequate PIAs, we reviewed the PIAs for the four systems
selected for evaluation during the FY 2009 independent evaluation. The PIAs were completed and
reviewed in accordance with NRC policy.
The Privacy Act does not apply to three of the systems and does apply to one of the systems.

3.10   Configuration Management (Question 7)

3.10.1 Security Configuration Policy and Common Security Configurations

                           OMB Requirement                                        OIG Response
 7.a. Is there an Agency-wide security configuration policy?                Yes
 7.b. For each OS/platform/system for which your Agency has a
      configuration policy, please indicate the status of implementation
      for that policy.

FISMA requires agencies to develop policies and procedures that ensure compliance with
minimally acceptable system configuration requirements as determined by the agency. NIST SP
800-53 requires organizations to (1) establish mandatory configuration settings for information
technology products employed within the information system, (2) configure the security settings
of information technology products to the most restrictive mode consistent with operational
requirements, (3) document the configuration settings, and (4) enforce the configuration settings
in all components of the information system.

The agency has implemented several policies that address security configurations and their
implementation. System security screening guidelines were developed to prepare new systems
for implementation into the NRC production operating environment. The security screening
ensures that system configurations meet NRC network security requirements.
The guidelines outline the steps necessary to request and perform the security screening
process, provide guidance on managing and developing a secure system, and list industry best
practices and additional resources.

The agency has also posted guidance on the NRC internal Web site requiring the use of hardening
specifications for the different operating systems and software in use at the agency. Hardening
specifications in use at the agency include benchmarks developed by the Center for Internet
Security (CIS), the Defense Information Systems Agency (DISA) Gold Disk [17], National Security
Agency (NSA) security configuration guides, and custom hardening specifications developed by
the agency. The agency requires the use of the most recent version of the specified hardening
specifications.

NRC Security Configuration Policy

The agency's security configuration policy is described in the system screening guidelines for
the NRC network and on the CSO's Standards Web page. In addition, all systems are required to
undergo vulnerability scanning and penetration testing as part of security test and evaluation
during the certification and accreditation process.
The purpose of the vulnerability scanning and penetration testing is, in part, to determine
whether the system's configuration is compliant with the established agency configuration
standards.

The NRC has established a configuration policy for the following operating systems, platforms,
and systems:

NRC-Developed

   •   Stealth MXP Thumb Drive Configuration Standard
   •   NRC General Laptop Configuration Guidance
   •   NRC Laptop Configuration Standards
   •   Linux Red Hat Hardening Guidelines
   •   VMware Hardening Guidelines
   •   Microsoft Windows 2003 Servers
   •   NRC Web 2.0 Implementation Standard
   •   NRC YouTube Standard

[17] The DISA Gold Disk is a tool that allows a system administrator to scan a system for
     vulnerabilities, make appropriate security configuration changes, and apply security
     patches. The Gold Disk uses an automated process that configures a system in accordance
     with DISA Security Technical Implementation Guides.

Industry Standards (e.g., CIS Benchmarks, DISA standards, and/or NSA standards)

   •   AIX
   •   HP-UX
   •   Mac OS X Systems
   •   Novell NetWare
   •   Solaris
   •   Microsoft Windows 2000 Servers
   •   Microsoft Windows 2008 Servers
   •   Microsoft Windows XP Professional
   •   Microsoft Windows 2000 Professional
   •   Microsoft Windows 2003 Security Checklist
   •   Microsoft Windows 2008 Security Checklist
   •
       Microsoft Exchange 2003 Security Technical Implementation Guide
   •   Cisco IOS Router (Level 1 and Level 2)
   •   Cisco PIX Firewall (Level 1 and Level 2)
   •   Apache Web Server (Level 1 and Level 2)
   •   Exchange Server 2003
   •   Oracle Database 8i (Level 1 and Level 2)
   •   Oracle Database 9i (Level 1 and Level 2)
   •   Oracle Database 10g (Level 1 and Level 2)
   •   SQL Server 2000 (Level 1 and Level 2)
   •   Internet Explorer
   •   Internet Information Services V 5.0
   •   Microsoft Office
   •   Netscape Navigator
   •   Microsoft .NET Framework
   •   Systems Management Server 2003

NRC Security Configuration Policy Implementation Status

To determine the status of the implementation of agency configuration policies, Carson
Associates reviewed various security documentation for the four systems selected for evaluation
in FY 2009, including security plans, security test and evaluation reports, and vulnerability
assessment reports.
The agency performs a vulnerability assessment during security control testing, which includes
vulnerability scans, penetration tests, and hardening checks using the following tools:

   •   Nessus – A general-purpose scanning tool that provides information on network-based
       vulnerabilities.
   •   DISA Gold Disk – A Department of Defense tool that tests Windows-based hosts for
       compliance with the DISA Gold standard, including file and registry access control and
       auditing settings, running services, installed applications and patches, and user rights.
   •   CORE Impact – A specialized penetration testing tool that provides automated testing of
       known exploits against detected platforms, protocols, and services.
   •   CIS Benchmarks – NRC-approved security hardening specifications for a variety of
       platforms and software, prepared by CIS (http://www.cisecurity.org/).
   •   NRC Linux Benchmark – An NRC-approved security hardening specification for Linux
       systems that was developed from the Red Hat Linux Benchmark by CIS.

The following operating systems, platforms, and systems were identified for the four systems
selected for evaluation in FY 2009:

   •   IBM AIX 5
   •   Cisco IOS
   •   Cisco PIX Firewall
   •   Red Hat Enterprise Linux 4
   •   Sun Solaris 10
   •   Microsoft SQL Server 2000
   •   Microsoft SQL Server 2005
   •   Microsoft Windows Server 2000
   •   Microsoft Windows Server 2003
   •   Microsoft Windows NT
   •   Microsoft Windows XP

While the agency has a configuration policy for additional operating systems, platforms, and
systems, Carson Associates could only form an opinion on the status of the implementation of
agency configuration policies for those operating systems, platforms, and systems found in the
four systems selected for evaluation in FY 2009. Carson Associates determined that the
implementation status of the relevant policies is mid-implementation.

3.10.2 Federal Desktop Core Configuration (FDCC)

                           OMB Requirement                                        OIG Response
 7.c. Indicate the status of the implementation of Federal Desktop
      Core Configuration (FDCC) at your Agency:
      7.c(1). Agency has documented deviations from FDCC standard            Yes
              configuration.
      7.c(2). New Federal Acquisition Regulation 2007-004 language,           No
              which modified "Part 39—Acquisition of Information
              Technology," is included in all contracts related to common
              security settings.

Carson Associates reviewed several agencywide announcements and determined that the agency
has adopted and implemented FDCC standard configurations.
Carson Associates reviewed the agency's reports to OMB and NIST and determined that the
agency has documented deviations. For example, on April 6, 2009, the agency's designated
approving authority approved a deviation from FDCC regarding password aging. The agency
extended the FDCC maximum password age to a longer period while retaining the existing
minimum password length and password complexity requirements. The rationale for the change
was to reduce the burden on the user community associated with the shorter password age.

In response to a recommendation regarding the implementation of FDCC at NRC from the FY 2008
FISMA independent evaluation, the CSO, in coordination with OIS, has developed the following
standards and provided them on the CSO Web page:

   •   Configuration standards for NRC laptops.
   •   Guidance for general laptops.
   •   Procedures for applying critical updates to Safeguards Information (SGI) laptops.
   •   An SGI Stand Alone Listed System Minimum Security Checklist to ensure appropriate
       laptop configuration.
   •   Standard system security plans for NRC laptops.
   •   Laptop security policy provided via memo to office directors and regional administrators
       and yellow announcement to staff.

OIS procedures require the use of standard images for desktop and laptop computers. All
computers connected to the NRC network receive FDCC settings through group policy object
settings. Computers that are not attached to the network (standalone systems) are loaded with
these controls as part of the standard configuration image, and additional controls are
implemented through local security policy.

In addition, the agency has deployed NIST-validated Security Content Automation Protocol
(SCAP) scanning tools to scan a sample of network hosts.
Standalone computers are scanned periodically as they are brought in for service. The SCAP
tools are also used to verify that the agency is compliant with FDCC during the system
certification and accreditation process. The CSO is currently fielding its Information
Assurance System (IAS) to provide real-time assessment of FDCC compliance for networked
computers as part of its continuous monitoring activities. Completion of the IAS will provide
agencywide, real-time FDCC assessments. The system is currently scheduled for completion in
FY 2010.

The agency also uses the System Center Configuration Manager patch management system to
keep desktop configurations consistent across NRC. Network Bulletins are used to announce
agency workstation updates. The announcements describe the nature of the upgrade and whether
or not a workstation restart is required after the patches are installed.

In the agency's September 5, 2008, FDCC status update to OMB, the agency reported the
following:

   •   Total number of managed desktops and laptops (Windows XP SP2):                5,077
   •   Total number of XP desktops and laptops that are FDCC compliant:                  0

The agency has adopted and implemented FDCC standard configurations and has documented
the deviations. Of the 354 settings that were tested, 332 settings passed and 22 settings failed.
The raw score is 93.8 percent. Of the 22 settings that failed, one setting does not apply to
Internet Explorer version 6, and so is a false failure.
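The raw and adjusted scores in this FDCC status can be recomputed directly from the SCAP scanner's XCCDF output rather than by hand. The following is an added example, not code from this report or from NRC's IAS or SCAP tooling: it parses a constructed XCCDF 1.1 result fragment (the rule identifiers are invented for the example), computes the raw score over all tested settings, and recomputes the adjusted score after removing failures that are documented as not applicable to the environment, which is how the report treats the Internet Explorer 6 false failure and the settings for a local support account that does not exist. Failures that are documented deviations stay in the denominator, as they do in the report, but are listed separately from failures nobody has accepted, since those are the ones a reviewer has to chase.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = {"cdf": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed XCCDF 1.1 TestResult fragment for the example (not an NRC scan; the rule
# identifiers are invented): 8 pass, 5 fail, 1 not selected by the profile.
SAMPLE_RESULTS = """<cdf:TestResult xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" id="sample_fdcc_xp">
  <cdf:rule-result idref="min_password_length"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="password_complexity"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="account_lockout_threshold"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="audit_logon_events"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="disable_autorun"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="guest_account_disabled"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="screen_saver_timeout"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="smb_signing_required"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="ie7_phishing_filter"><cdf:result>fail</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="support_account_rename"><cdf:result>fail</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="support_account_disabled"><cdf:result>fail</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="max_password_age"><cdf:result>fail</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="audit_object_access"><cdf:result>fail</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="firewall_domain_profile"><cdf:result>notselected</cdf:result></cdf:rule-result>
</cdf:TestResult>
"""

# Rules documented as not applicable to this environment (assumed for the example): the
# scanner reports a failure, but the checked product version or account does not exist.
NOT_APPLICABLE = {"ie7_phishing_filter", "support_account_rename", "support_account_disabled"}
# Rules with a documented deviation approved by the designated approving authority (assumed).
# They are still counted as failures, as in the report, but flagged as accepted.
DOCUMENTED_DEVIATIONS = {"max_password_age"}

TESTED = {"pass", "fail"}  # result values that count as a tested setting


def parse_rule_results(xml_text):
    """Return {rule_id: result} for every rule-result element in an XCCDF 1.1 TestResult."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.find("cdf:result", XCCDF_NS).text.strip()
            for rr in root.findall("cdf:rule-result", XCCDF_NS)}


def fdcc_score(passed, failed, excluded=0):
    """Raw score over all tested settings, and adjusted score with the excluded
    (not applicable) failures removed from the denominator. Percent, one decimal."""
    tested = passed + failed
    raw = round(100.0 * passed / tested, 1)
    adjusted = round(100.0 * passed / (tested - excluded), 1)
    return raw, adjusted


def assess(results, not_applicable=NOT_APPLICABLE, deviations=DOCUMENTED_DEVIATIONS):
    """Split the failures into excluded, accepted and unresolved, and score the host."""
    tested = {rid: r for rid, r in results.items() if r in TESTED}
    failures = {rid for rid, r in tested.items() if r == "fail"}
    excluded = failures & not_applicable          # false failures, out of the denominator
    accepted = failures & deviations              # documented deviations, still failures
    unresolved = sorted(failures - excluded - accepted)
    raw, adjusted = fdcc_score(len(tested) - len(failures), len(failures), len(excluded))
    return {"tested": len(tested), "raw": raw, "adjusted": adjusted,
            "excluded": sorted(excluded), "accepted": sorted(accepted),
            "unresolved": unresolved}


if __name__ == "__main__":
    report = assess(parse_rule_results(SAMPLE_RESULTS))
    print("tested settings: %d" % report["tested"])
    print("raw score: %.1f%%  adjusted score: %.1f%%" % (report["raw"], report["adjusted"]))
    print("excluded as not applicable:", report["excluded"])
    print("accepted deviations:", report["accepted"])
    print("unresolved failures:", report["unresolved"])
    print("this report's counts (332 pass, 22 fail, 4 excluded):", fdcc_score(332, 22, 4))
```

On the constructed fragment the host scores 61.5 percent raw and 80.0 percent adjusted, with one unresolved failure. Applied to the counts in this section, fdcc_score(332, 22, 4) returns 93.8 and 94.9; the 94.8 percent quoted below is the truncated value of 332/350 rather than the rounded one.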
Three settings reference a local support account that does not exist on the desktops/laptops in
the NRC environment, thus resulting in failures. However, restrictions are set appropriately in
the group policy. The remaining 18 settings that failed FDCC compliance have been documented.
Taking these four settings into account, the NRC passes 332 settings out of 350 applicable
settings. The adjusted score is 94.8 percent.

The Division of Contracts has updated its contract writing system to include the revised policy
in Federal Acquisition Regulation 39.101. However, the CSO and the Office of Administration,
Division of Contracts, are still in the process of developing standard contract language and
clauses that specify which IT security policies and requirements, including the use of common
security configurations, should be included in IT acquisition contracts as required by Federal
Acquisition Regulation 39.101. It should be noted that the agency does include some IT
security-related sections and references in its IT acquisition contracts, including NRC IT
security training, NRC Management Directives and Handbooks related to security, badge
requirements for unescorted access to NRC facilities, and security requirements for IT access
approval.

3.11   Incident Reporting (Question 8)

                            OMB Requirement                                       OIG Response
 8.a. How often does the Agency comply with documented policies and          91% to 100%
      procedures for identifying and reporting incidents internally?
 8.b. How often does the Agency comply with documented policies and          91% to 100%
      procedures for timely reporting of incidents to US-CERT?
 8.c.
      How often does the Agency comply with documented policy and             91% to 100%
      procedures for reporting to law enforcement?

On May 2, 2008, the agency issued a revised policy on computer security incident response and
PII incident response. The policy provides direction for responding to computer security
incidents affecting the NRC's systems, networks, and users, as well as PII incidents, and will
be included in the next revision of MD 12.5. The revised policy contains time frames for
responding to such incidents, based on the criticality of the affected resources and the
incident; formally establishes a Computer Security Incident Response Team (CSIRT) to respond
to such incidents; and outlines the CSIRT's security incident response process. The CSIRT will
include staff from the following offices: CSO, OIS, Office of Administration, and Office of
Nuclear Security and Incident Response.

In addition to forming CSIRT, the agency has developed the following policies and guidelines
related to detecting, reporting, and responding to security incidents.
These documents include guidance on reporting incidents internally, reporting incidents to
US-CERT, and reporting to law enforcement [18].

   •   Computer Security Incident Response Policy, May 14, 2008.
   •   Information Systems Security Incident Response Procedures, May 11, 2004 (Appendix B
       from MD 12.5).
   •   Draft CSIRT Responder Guide, February 25, 2009.
   •   Draft CSIRT Standard Operating Procedures, October 30, 2008.

The agency uses two tools for tracking incidents. An incident report form is used to capture the
full details of each incident reported to or discovered by the incident response team. An
incident response tracking sheet is used to capture summary information for each incident. This
tracking sheet provides high-level metrics regarding all incidents. The team performs self-audits
of the incident report forms to ensure that every entry on the tracking sheet has a corresponding
incident report form and that every incident report form has an entry on the tracking sheet.
This self-audit is performed at least quarterly.

CSIRT also conducts periodic incident response testing. The most recent test was in June 2009.
The agency performed a table-top exercise of the CSIRT response to a Category 1 incident
(unauthorized access). The test results were documented and included a description of the
scenario and responses to scenario questions on preparation; response and analysis; containment,
eradication, and recovery; and forensics.
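The quarterly self-audit of the tracking sheet against the report forms, and the "how often" percentages answered in the table above, are both simple set operations over the tracking sheet, and are worth scripting so the audit is repeatable rather than done by eye. The following is an added example, not code from this report or from NRC's CSIRT: it reads a constructed tracking-sheet extract, reconciles it in both directions against a constructed list of report forms on file, and computes the share of incidents reported internally and to US-CERT within a window measured from detection. The windows are assumptions, not figures from the report: the US-CERT values follow the federal incident categories of that period (one hour for Category 1, two hours for Category 2, daily for Category 3, weekly for Category 4, monthly for Category 5), and the one-hour internal window is invented for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed tracking-sheet extract (not NRC data). Timestamps are ISO 8601 in one zone.
TRACKING_SHEET = """\
incident_id,category,detected,reported_internally,reported_uscert
IR-2009-001,1,2009-06-02T13:05,2009-06-02T13:20,2009-06-02T13:50
IR-2009-002,3,2009-06-03T09:00,2009-06-03T09:30,2009-06-03T16:00
IR-2009-003,1,2009-06-05T22:10,2009-06-05T22:40,2009-06-06T01:30
IR-2009-004,4,2009-06-08T10:00,2009-06-08T11:00,2009-06-12T10:00
IR-2009-005,2,2009-06-09T14:00,2009-06-09T14:15,2009-06-09T15:45
"""

# Constructed set of incident report forms on file, keyed by the incident ID on the form.
REPORT_FORMS_ON_FILE = {"IR-2009-001", "IR-2009-002", "IR-2009-003", "IR-2009-005", "IR-2009-006"}

# Assumed reporting windows, measured from detection. The US-CERT windows follow the federal
# incident categories of the period (CAT 1 one hour, CAT 2 two hours, CAT 3 daily, CAT 4
# weekly, CAT 5 monthly); the internal window is an assumption, the report gives no figure.
USCERT_WINDOW = {"1": timedelta(hours=1), "2": timedelta(hours=2), "3": timedelta(days=1),
                 "4": timedelta(weeks=1), "5": timedelta(days=30)}
INTERNAL_WINDOW = timedelta(hours=1)
TS_FORMAT = "%Y-%m-%dT%H:%M"


def load_sheet(text):
    """Parse the tracking sheet into dicts, converting the three timestamp columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("detected", "reported_internally", "reported_uscert"):
            row[field] = datetime.strptime(row[field], TS_FORMAT)
        rows.append(row)
    return rows


def reconcile(rows, forms):
    """Two-way check behind the self-audit. Returns (sheet entries with no report form,
    report forms with no sheet entry); both lists should be empty."""
    on_sheet = {r["incident_id"] for r in rows}
    return sorted(on_sheet - forms), sorted(forms - on_sheet)


def uscert_window(row):
    return USCERT_WINDOW[row["category"]]


def internal_window(row):
    return INTERNAL_WINDOW


def late_incidents(rows, field, window_for):
    """IDs whose `field` timestamp fell outside the window for their category."""
    return [r["incident_id"] for r in rows if r[field] - r["detected"] > window_for(r)]


def timely_rate(rows, field, window_for):
    """Percentage of incidents reported within the window, one decimal."""
    late = len(late_incidents(rows, field, window_for))
    return round(100.0 * (len(rows) - late) / len(rows), 1)


def internal_rate(rows):
    return timely_rate(rows, "reported_internally", internal_window)


def uscert_rate(rows):
    return timely_rate(rows, "reported_uscert", uscert_window)


if __name__ == "__main__":
    sheet = load_sheet(TRACKING_SHEET)
    missing_forms, orphan_forms = reconcile(sheet, REPORT_FORMS_ON_FILE)
    print("sheet entries with no report form:", missing_forms)
    print("report forms with no sheet entry:", orphan_forms)
    print("reported internally within window: %.1f%%" % internal_rate(sheet))
    print("reported to US-CERT within window: %.1f%%" % uscert_rate(sheet))
    print("late to US-CERT:", late_incidents(sheet, "reported_uscert", uscert_window))
```

On the constructed sheet the reconciliation flags IR-2009-004 (on the sheet, no form) and IR-2009-006 (a form with no sheet entry), and IR-2009-003 misses the one-hour Category 1 window for US-CERT, so the US-CERT rate is 80.0 percent while internal reporting is 100.0 percent; only the latter would support a "91% to 100%" answer. Measuring from detection rather than from the internal report is deliberate, since a slow internal report would otherwise hide a late external one.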
The test results also included a checklist of actions that should have been taken during the
exercise and documented lessons learned.

To determine how often the agency complies with documented policies and procedures related
to incident reporting, Carson Associates met with NRC staff responsible for incident reporting
and reviewed the incident response tracking form used by the agency.

[18] CSIRT does not report incidents directly to law enforcement. If an incident might warrant
     reporting to law enforcement, CSIRT notifies the OIG Computer Crimes Unit, which then
     decides whether or not external law enforcement should be involved.

3.12   Security Awareness Training (Question 9)

                            OMB Requirement                                        OIG Response
 9.a. Has the Agency developed and documented an adequate policy for          Yes
      identifying all general users, contractors, and system
      owners/employees who have log-in privileges, and providing them
      with suitable IT security awareness training?
 9.b. Report the following for your Agency:
      9.b(1). Total number of people with log-in privileges to Agency         4,840
              systems.
      9.b(2).
              Number of people with log-in privileges to Agency systems       4,730 (98%)
              that received information security awareness training during
              the past fiscal year, as described in NIST Special Publication
              800-50, "Building an Information Technology Security
              Awareness and Training Program."
      9.b(3). Total number of employees with significant information          403
              security responsibilities.
      9.b(4). Number of employees with significant security                   130 (32%)
              responsibilities that received specialized training, as
              described in NIST SP 800-16, "Information Technology Security
              Training Requirements: A Role- and Performance-Based Model."

All new NRC employees (including onsite contractors, interns, and summer hires) are required to
attend orientation the first day they report for duty. During the orientation, employees are
given a brief presentation, which includes a discussion on appropriate use of information
technology equipment. In addition, a representative from the Office of the General Counsel
presents a session on ethics that includes additional discussion of appropriate use of the
Internet.
In\naddition, all NRC computer users, including federal employees, detailees, interns, and\ncontractors, are required to take an online computer security awareness course.\n\nThe agency also routinely issues network announcements on various security topics, including\nhoax e-mail messages, phishing and spear phishing, spam, and the risks of using thumb drives.\nIn the spring of 2009, NRC began publishing a quarterly IT security newsletter, FRONTLINE.\nThe newsletters will provide the NRC with IT security awareness tips and techniques for\nprotecting one\xe2\x80\x99s information.\n\nAnnual IT Security Awareness Training\n\nNRC meets the Office of Personnel Management requirement to expose employees to security\nawareness materials at least annually by (1) mandating all NRC staff take annual IT security\nawareness training and by documenting who takes the annual training; and (2) using posters,\nflyers, Web pages, and NRC announcements.\n\n\n\n\n                                                32\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\nFor FY 2009, all NRC computer users, including federal employees, detailees, interns, and\ncontractors, were required to take an online computer security awareness course. All NRC\nemployees and support contractors having network accounts were required to complete the\ncourse within 60 days of the course\xe2\x80\x99s availability, with a target cut-off date of August 3, 2009,\nfor completion of the course. 
The self-paced course consisted of two modules \xe2\x80\x93 a general\ncomputer security awareness training module using ISS Line of Business (LoB) approved\ncourseware tailored to the general federal population, and an NRC-specific module tailored to\naddress protection of SGI and rules of behavior for all users of NRC computing resources.\nCompletion of both modules was required to fulfill the annual computer security requirement.\nThe agency also prepared a list of differences between NRC policy and the course content of the\nfirst module as a companion document to the FY 2009 training. Office training coordinators\nwere required to track completion of the computer security awareness course and report weekly\ncompletion percentages to the CSO\xe2\x80\x99s office. In an announcement dated August 4, 2009, the\nagency reported 4,726 users had completed the FY 2009 computer security awareness course \xe2\x80\x93\nthe equivalent of 97 percent of NRC computer users. The CSO\xe2\x80\x99s IT Security Training Web site\nalso includes a link to a Web page showing the completion rate for the IT security awareness\ntraining by office.\n\nIT Security Awareness Training for Employees With Significant IT Security\nResponsibilities (Role-Based Training)\n\nOn April 3, 2008, the CISO issued a memorandum asking for support and action to ensure that\nall employees with significant IT security responsibilities are appropriately identified. The\nmemorandum requires recipients of the memorandum to report back to the CISO by July 1,\n2008, on the names of employees within their organization that have an IT security role as part of\ntheir official duties. A second data call was issued July 13, 2009, asking recipients of the\nmemorandum to review and update the information provided in response to the April 2008 data\ncall. 
The memorandum requires recipients to report back to the CSO by August 10, 2009.\n\nThe agency also developed an IT Role-Based Training plan that states the requirement for\ntraining for those with significant IT responsibilities, the type of training expected for each role,\nand frequency of training per role. System owners are responsible for using the training plan\nprocedures to address the training needs of his/her personnel with IT roles. The training plan\ndefines the following IT security roles with significant IT security responsibilities that require\nrole-based training.\n\n   \xef\x82\xb7   IT Executive.\n   \xef\x82\xb7   System Owner.\n   \xef\x82\xb7   IT Auditor.\n   \xef\x82\xb7   IT Functional Manager.\n   \xef\x82\xb7   IT Senior Approving Official.\n   \xef\x82\xb7   IT Functional Management and Operations Personnel (including Information Systems\n       Security Officers (ISSO), database administrator, network administrator system\n       administrator, and IT manager).\n   \xef\x82\xb7   IT System Development Official.\n\n\n                                                  33\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n   \xef\x82\xb7   IT Project Officer.\n   \xef\x82\xb7   IT System Developer.\n\nNRC is pursuing three approaches to address IT role-based training: NRC-provided resident\ncourses, use of ISS LoB providers, and commercially provided training and certifications.\n\n   \xef\x82\xb7   NRC-provided courses: The agency already provides IT security awareness training\n       courses for ISSOs and for system and network administrators. These courses must be\n       taken upon appointment to the role and every 3 years thereafter. 
The ISSO course was\n       updated in June 2009, and the system and network administrator course was updated in\n       December 2008. In addition, the agency provided a Defense in Depth \xe2\x80\x93 Securing\n       Windows Server 2003 course to approximately 20 employees in January 2008 and\n       provided role-based training for system owners in August 2008. The CSO also provided\n       system administrators and ISSOs with a Microsoft Framework Essentials 4.0 Managing\n       Change/Configuration/Risk course. The CSO is working with a contractor to draft and\n       present additional specific role-based courses that address the following roles: ISSO,\n       System Administrator, IT Manager, System Owner, Executive, and Senior Manager.\n   \xef\x82\xb7   ISS LoB Providers: The CSO coordinated with the Department of Defense for the use of\n       its ISS LoB approved courseware for agencywide general computer security awareness.\n   \xef\x82\xb7   Commercial Training: The CSO IT Security Role-Based Training Web page provides\n       lists of commercially available training in three areas: technical certification/courses,\n       operating system-specific or database certifications/courses, and managerial/project\n       management certification/courses. The Web page also provides a crosswalk between the\n       12 IT security roles and the commercially available training.\n\n3.13   Peer-to-Peer File (P2P) Sharing (Question 10)\n\n                            OMB Requirement                                        OIG Response\n 10. Does the Agency explain policies regarding the use of peer-to-\n peer file sharing in IT security awareness training, ethics training, or    Yes\n any other Agency-wide training?\n\nIn 2007, the Executive Director for Operations in a memorandum to the Commission\nrecommended prohibiting the installation of P2P software on NRC computers without explicit\nwritten approval of the NRC Designated Approving Authority. 
In February 2008, the agency\nissued a yellow announcement on P2P software that states:\n\n       All employees, including staff and contractors, are prohibited from installing P2P\n       software on agency computers without the explicit written approval of an agency\n       Designated Approving Authority. In addition, employees are prohibited from\n       processing Sensitive Unclassified Non-Safeguards Information (SUNSI) on home\n       computers unless connected to and working within CITRIX, the NRC Broadband\n       Remote Access System. Employees are prohibited from downloading or storing\n       SUNSI to the hard drive of a home computer when connected to and working\n       within CITRIX. Employees are also prohibited expressly from processing SUNSI\n\n\n                                                 34\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n       on home computers even when a floppy disk, CD, DVD, or thumb drive is the\n       storage media. Employees who work at home must perform electronic processing\n       of SUNSI on either (1) a home computer within the virtual environment provided\n       by the agency through CITRIX; or (2) an NRC-issued laptop with NRC-approved\n       encryption software.\n\nThe CSO\xe2\x80\x99s IT Security Policies Web page specifically states that the installation of P2P software\non NRC computers is prohibited unless explicitly approved by the NRC Designated Approving\nAuthority in writing. 
The CSO\xe2\x80\x99s Web site also provides some P2P frequently asked questions.\nThe FY 2009 online computer security awareness course discussed the use of P2P and file-\nsharing software.\n\n\n\n\n                                               35\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              36\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n4      Report Recommendation\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Develop and implement procedures to ensure interface information is kept up-to-date.\n\n\n\n\n                                              37\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              38\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n5      Agency Comments\n\nAt an exit conference on October 30, 2009, agency officials agreed with the report\xe2\x80\x99s findings and\nrecommendation and provided some editorial changes, which the OIG incorporated as\nappropriate. 
The agency opted not to submit formal comments.\n\n\n\n\n                                               39\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              40\n\x0c                                                                           Independent Evaluation of\n                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n                                                                                       Appendix\n\nSCOPE AND METHODOLOGY\n\nCarson Associates performed an independent evaluation of NRC\xe2\x80\x99s Implementation of FISMA\nfor FY 2009. To conduct the independent evaluation, the team met with agency staff responsible\nfor implementing the agency\xe2\x80\x99s information system security program, reviewed certification and\naccreditation documentation for the agency\xe2\x80\x99s operational information systems, and reviewed\nother documentation provided by the agency that demonstrated its implementation of FISMA.\n\nAll analyses were performed in accordance with guidance from the following:\n\n   \xef\x82\xb7   National Institute of Standards and Technology standards and guidelines.\n   \xef\x82\xb7   Nuclear Regulatory Commission Management Directive and Handbook 12.5, NRC\n       Automated Information Security Program.\n   \xef\x82\xb7   NRC Office of the Inspector General audit guidance.\n\nThis work was conducted between April 2009 and September 2009. Any information received\nfrom the agency subsequent to the completion of fieldwork was incorporated when possible.\nThe work was conducted by Jane M. Laroussi, CISSP; Virgil Isola, CISSP; and Edwin Caron,\nCISA, from Richard S. 
Carson and Associates, Inc.\n\n\n\n\n                                              41\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2009\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              42\n\x0c'